UCF ID: 02042 |
Control Type: Actionable Reports or measurements |
Status: Live |
Metric guidance
Calculation: The calculation for this metric is # of identified risks that have a defined risk mitigation plan / # of identified risks.
Calculation source: No authority document source of information exists. The following formula was used: the number of identified risks that have been assigned a fix or control to mitigate the risk from occurring divided by the total number of risks that where identified during risk analyses for each business unit (or the organization as a whole) during the reporting period.
The Common Control IDs associated with this metric are as follows:
- • Prioritize and select safeguards based on the risk assessment findings. [UCF Control ID 00707]
• Establish and maintain a risk action plan based on the risk assessment findings. [UCF Control ID 00705]
• Report monitoring statistics to the Board of Directors. [UCF Control ID 00676]
Supporting and supported controls
This control directly supports:
- • Establish and maintain an information risk threshold metrics standard. [UCF Control ID 01694]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10,2005, ISPE10.3; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2
US Federal Security Guidance
The organization must measure and report on the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [ISPE10.3, CISWG Information Security Program Elements, January 10,2005]
General Guidance
The purpose of this measurement is to measure the percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
